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ABSTRACT 


This thesis investigates the feasibility and utility of 
the Computer System Design Language (CSDL) and its design 
environment. The primary purpose of this design system is 
to automatically design microprocessor based controller 
prototypes given a description of the controller's behavior. 
CSDL is used to create a highly structured behavioral 
description which is used by the design environment to 
create a software and hardware listing. A "generic" gas 
turbine engine start malfunction controller is developed 


Memma Gopi and tested on a Prolog development system. 
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ln RODUCTION 


ive desrqneer electronic devices for use in control 
applications has traditionally been a long, tedious process. 
In the past a designer would specify the desired behavior 
Peweie controller, From this behavioral description a 
definition of the inputs and outputs could be made. Next, 
Functions would be derived mapping the input signals to the 
Output signals uSing boolean algebra and truth tables. If 
the design were to be implemented using discrete logic 
gates, these functions would be used to define a "sum of 
products" equation describing the gates required to build 
memes controller. Often the original equation could be 
minimized using Karnaugh Maps or Quine-McCluskey 
Minimization (reducing the number of gates required) anda 
Seawenos in cost realised [Ref. l: pp. 92-126]. Once the 
design was complete the project could be prototyped for 
further testing. Any follow-on designs would go through 
this same process until the desired configuration was 
obtained. 

This traditional view of design grew out of an era when 
Microprocessors and computer aided design principles were 
not yet accepted practice and when hardware was the primary 
cost in systems design. Today, the microelectornics 
industry has reduced the cost of a Zilog Z-80 microprocessor 


momileceethan S5.00 [Ref. 2: p. 536] and of a quad two-input 





Meeemgate tO less than $1.00 (Ref. 3: p. 124i. Clearly, the 
major costs of system development will be in the design and 
Pieetcatmem or Drinted Circuit boards, data buses and 
mieourace hardware in addition to the generatéon of software 
(in the case of microprocessor based controllers), activities 
which are highly labor intensive. Additionally, Computer 
Aided Design (CAD) has been used successfully in a number of 
industries including aerospace, automotive and electronics. 
These industries have been most successful in implementing 
CAD in terms of "hardware" (airplane parts, auto parts and 
comuter circuits). By using computers to selectively access 
libraries of standard components, industry has been able to 
cut the costs and time required to develop complicated 
assemblies. [Ref. 4: pp. 63-66] 

In most engineering projects a proof of concept is a 
required step in development before further expenses are 
incurred. DeSign errors must be eliminated early in the 
life of a project to avoid the excessively high repair costs 
when a device reaches the production stage. One of the most 
commonly accepted methods for proving a concept is to build 
a prototype and exhaustively test it. In designing a 
prototype the engineer usually reduces the scope of the 
problem to show only the essential or controversial aspects 
of the device. This reduces the manufacturing cost and 
complexity of the prototype. The problem with designing a 


prototype is that the level of effort required to design and 
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fabricate s single test device may be extremely high 
Zioeateive tO the cost Of a project as a whole, particularly 
if the device is software intensive. Additionally, it is 
desirable to have as many different implementations 
prototyped as possible, so one can chose the best design 
of a given project. 

A designer, using traditional methods, would be required 
tO write a behaviorial description, select hardware which 
best suits the task at hand and then write hardware-specific 
software to implement the design. This process, when used 
tO produce several prototypes, can take as long as the time 
it takes to go through full systems development. Computer 
Aided Design (CAD) techniques can reduce time and cost 
required to produce workable prototypes by mechanizing the 
selection of hardware and software elements thus requiring 
the designer to produce only a behavioral description of the 
task. High level programming languages also follow this 
pattern of automated design in the sense that a library of 
machine or assembly language code is used to assemble a 
machine readable program from a "high level" problem 
description. The programmer is still responsible for 
ferwirngeehe problem, but instead of having to do so at the 
machine level he can use a more "user friendly" medium-the 
high level language. 

Automated design is being applied to the design of 
iiemoarocessor based controllers through research currently 


being conducted at the Naval Postgraduate School under the 


iy 





direction of LTC Alan Ross [Ref. 5]. This research project 
1S an outgrowth of a doctoral thesis authored by Ross in 
which he implemented automated system design principles 
proposed by Matelan. [Ref. 6] This design environment 
requires a behavioral description in a high level language 
as the only input to generate both a hardware listing and a 
software listing which can then be compiled and linked for 
the controller under design. Ross's system, called the 
Computer System Design Language, 1S described in the next 
chapter. 

The purpose of this research project is to validate the 
CSDL system by designing and building a prototype of a 
microprocessor based controller for a generic gas turbine 
engine using Ross's design environment. To date, two other 
projects have used Ross's system to design microprocessor 
based controllers but none have actually compiled source 
code or constructed the hardware necessary to support the 
Peewee fhis project will attempt to build a prototype of a 
microprocessor based controller solely on the hardware and 
software descriptions generated from CSDL using the 2-80 


beabization library. 
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Ii. BACKGROUND 


Ae CODL 

The CSDL concept is based on a design language proposed 
PeeeieN- Matelan [Ref. 7), Livermore Laboratory, in 1976. in 
his design, Matelan envisioned a design environment in which 
Bie waser provides a description of a system using an input 
language. The design environment would then produce a 
MmrecopErOocessor based prototype. In 1978, LTC Alan Ross 
[Ref. 8] further developed this concept and added the ability 
to build miltiprocessor based systems as well. This new 
language, designated Control System Design Language (CSDL), 
maps user defined contingency-task pairs to a "realization 
library" containing the software and hardware primitives 
(much like a compiler) to produce a program and hardware 
listing. To date, the primary use of CSDL has been in the 
development of prototypes of real-time controllers. This 
System can be extended to a much broader class of problems 
by incorporating the appropriate realization library. 

CSDL is divided into five sections. The Identification 
Seemtom Contains a brier description of the control problem 
under consideration, the designer's name, the version or 
MmeeratiOn MUumber, reviSion infOrmation and other remarks. 
This section identifies and documents the design, but does 


WeempGtewiae any iIntOrmation to the design system. 


as 





The Design Criteria Section provides the designer with a 
procedure to prioritize the choice of an implementation 
basec on cost or power consumed or to select the first 
realization generated. This is the only section in which 
Piescestgner has any inpit to CSDL concerning the choices of 
hardware or software primitives it will make in generating a 
system. 

The Environment Section contains a declaration of all 
design variables. These design variables are defined in 
terms of the type of signal(s) generated or sensed (ie. TTL, 
Pet, ctc.), type Of arithmetic, precision and coding (ASCII, 
EBCDIC or BCD). This section is analagous to the declaration 
Statements in PL/I or Pascal. 

The Contingency Section contains declarations of those 
conditions that the device must respond to, the associated 
Mroceenat Mist be executed for each contingency, and the 
time constraints imposed upon each contingency-task pair. 

The timing constraints are determined by the maximum time 
allowed to recognize a contingency and the maximum time 
available to execute the corresponding response. Conditions 
Mamae Constructs such aS if-then, do-wnhile, and repeat-until. 

The Procedures Section contains the routines which 
Mplwemena Contingencies and tasks. By definition, contin- 
gencies are written as functions, while tasks are specified 
femeeecedures. Each routine contains the high level language 
descriptions necessary for the performance of its role in 


tne system being produced. 
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B. DESIGN ENVIRONMENT 
1. Overview 

Once the designer completes the CSDL description of 
Dieeeeoblem, it can be processed through the design 
environment. Figure 1 shows a block diagram of the design 
environment. The user interface is through the CSDL 
description. Once entered into the system the CSDL descrip- 
tion is decomposed into various symbol tables by the 
translator. The functional mapper maps each contingency- 
task pair to a set of primitives from the primitive library 
and analyzes the timing requirements. If the primitive 
chosen from the library meets the timing requirements, the 
process continues until the contingency-task list is 
exhausted. A monitor is then generated which will poll 
through each contingency within the time limits specified in 
the Contingency Section of the CSDL description. A final 
timing check is made to determined if the total system falls 
within the timing parameters set forth in the description. 
Software and hardware listings are generated as output, 
complete with an executive to drive the prototype. If the 
timing parameters cannot be met or a primitive cannot be 
matched in the library, the process aborts and attempts to 
use another realization library if one is available. fThere 
are realization libraries currently available for the Intel 
8080 and the Zilog 2-80 processors and one under development 


for the Intel 8086. 


he 
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Figure 1 Current CSDL Design Environment 
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2. Functional Mapper 

The Functional Mapper is the first module called by 
Biemdeston environment in its current configuration. Its 
main function is to map each primitive in the problem 
description (procedure section translated to a primitive 
listing) to a primitive in the realization library. The 
realization volume index is first searched for the primitive 
name from the current line in the primitive listing. The 
Specifications within the primitive are compared with those 
found in the realization library. The criteria must match 
exactly or the design environment will abort the current 
design run and generate an error message. The output from 
the Functional Mapper is the FORO21.DAT file which is the 
Current Realization Table discussed in Ross's thesis. [Ref. 
9: pp. 65-90] 

foe liming Analyser 

The next module to be executed is the Timing Analyser. 
Has medule generates the monitor instructions to ensure 
that the implementation will meet the timing requirements 
Beeeimethe CSDL description. Since this monitor is a polled 
loop, this module assumed worst case conditions and assumed 
that all contingencies will be true and that their associated 
tasks are performed. The timing analyser calculates the 
length of time required to perform each SOneE ngency=task 
pair and compares this time with the time contained in the 


IADEFL file. This file is generated by the designer along 


ibe 





Meeeete Coll, Gescription in the current version of CSDL 
but will be developed from the CSDL description when the 
Beemcrator module 1s complete. The IADEFL specifies the 
Pees Ot time (milliseconds, microseconds, etc.), the total 
Peutoe of time allowed for the contingency task pair, the 
time allowed for the contingency and task as separate 
eructural units, the time for a timed block within the 
meme lim@eenrcy, the time for a timed block within a task and a 
Flag to indicate a background task with no specified time 
requirements. It should be stressed that the times listed 
in the IADEFL are maximum times and cannot be used to 
define events which require precise time intervals. 

Tie CuEput Of this modulle 1s a set of monitor 
primitives which are appended to the primitive list provided 
by the designer. The current version of the design 
Sm7eeenmen=. will support dual processor realizations if the 
timing requirements cannot be met with a single processor. 
The contingency-task pairs are divided among the two 
processors and separate monitors provided for each processor. 
This process can be forced by the designer if the time 
required to process each contingency-task pair is known. 
Eeemwtiming Darameters listed in the IADEFL can then he set 
weaeetercahiy hich, forcing the design environment to 


generate a dual processor implementation. 
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4. Formatter Module 

The Formatter requires the primitive list, complete 
with the monitor, and the current application timing table 
from the Timing Analyzer. It then sequentially processes 
Etemecaw primitive listing and uses the line numbers 
BgeGdtea in the application timing table as guides to enter 
the realization volume to extract the programming code from 
each primitive. The software and hardware listings are 
Output to two separate files, FORO46.DAT for software and 
FOROQ47.DAT for hardware. The formatter is also responsible 
Eermoericting the “raw” primitive listing into two separate 
software listings if a dual processor implementation is 


generated. The design process is then terminated. 


ee Fe ALIL ZATION LIBRARY 

Next to the actual design environment itself, the 
most important files in this system are the realization 
Meemaetes, Fach realization library contains the primitives 
necessary to implement all mathematical functions, all 
conditional testing, all logic functions and all hardware 
requirements for each software primitive for each 
feroprocessor type {ie. Zilog 280, Intel 8080, etc.). 
There are currently two volumes written, one for the Intel 
wieemoapieanad ome for the Zilog 2-80 family. An additional 
library is under development for the Intel 8086 cpu. 

The general format for each primitive is the same 


ana must be stored as 80 column card images. The first 5 
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columns in each line serve as line numbers and are used for 
indexing by the design environment. The index to the 
realization volume resides in the first few lines of the 
realization volume and contains reproductions of the first 
line in each primitive. Their respective line numbers are 
retained and serve as pointers to each primitive in the 
Plow Each realization library is limited to 9999 lines 
(the index is considered in the line count when the number 
Of lines in a library is calculated). 

Mies abeaten specific formats which are recognized 
by the design environment: Primitive Title line, Comment 
mene Calc line, Attr line, Call line, Include line, If 
memes 5eG1in Text line, End Text line, and Text line. The 
fee Line must contain an s or h (in lower case), to 
denote hardware or software, followed by the name of the 
primitive. The calling arguments, selection criteria, and 
attributes of the primitive are enclosed in parentheses 
Following its name. The attributes are used to specify 
power consumption, latency and chips used. Attributes are 
unique for each primitive. Any or all of the attributes may 
be omitted but the commas that separate them must appear. 
The comment line is denoted by COM as the first characters 
of a line. The design environment ignores these lines and 
a= =orecuce nO Output. They are there to help document the 
meg@emwienin the primitive. The Calc line allows the use of 


global variables within the system. An example of the use 
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of this variable is the ROM oneee which is used to keep 
eeack Or the next address available in the controller's 
memory. The Calc line calculates the next position in 
memory based on the start location it receives from GLOBALS. 
Biewreer line 15 used to calculate a value for an attribute 
which depends on the arguments passed to the primitive. Incl 
Ppemecaliy lines are used to invoke other primitives from 
within a primitive. The difference between the two is that 
the output from a Call is inserted immediately following any 
previously generated output, the output from an Incl 
statement will be added to that of the primitive list after 
meweeier Output from the including primitive has been 
produced. The If line provides a mechanism for the 
meaicoming Of instructions within the realization library. 
The Begin and End Text lines are used to mark the beginning 
pmoemencging point of the code that is to be included as 
output from the design environment. The construction of 
primitives involves a detailed understanding of the 
assembly language for the particular microprocessor in use. 
Fach Primitive will vary in length depending on the 
eempleontty Of the task it 1s required to perform. Figure 2 
is an example of the s.add primitive from the current 2-80 
iepmesyeauthored by Smith [Ref. 10: pp. 60-103]. The 
methodology involved in constructing a primitive listing is 
discussed by both Ross and Smith and will not be discussed 


in this thesis. 
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fbaios.add (rslit,argl,arg2;0,16,0,16,0,16: 

ee ly 2, oo bei6, 195) 
vO1l8/7com primitive to add argl and arg2 and store in rslt 
v0188com ieee yard nema sereciSions:s,2,e.c,i,adar 
v0O189 begin stext 
peeooid mil, {(<argl>);6m 20¢ 45 load tec) einen elena 1 1 
Weewwela bec, {(<arg2>);6m 20€ 4b load argZ. dager Salt 
modozZzadd hl, be oc ecdigiiic.. | jvemmmarsvele | 
pee ta  (<rsit>),hl:6m 20. 4b save result 
v0194endtext 


v0O195calc romptr=romptr+13 


Figure 2 S.ADD Primitive 


The current version of the design environment has 
not implemented the translator or the library updater listed 
in Figure 1. There are two thesis projects under way which 
will provide a compiler and a user friendly front end to 
Meovtade all the functions of the translator. The lack of a 
translator requires that any CSDL description processed by 
the design environment be hand compiled (create the 
primitive listing) before submission to the design 


environment. 
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Ds Bey fOUS PROJECTS 

In addition to the examples processed by Ross in his 
dissertation, two other thesis projects have used CSDL as a 
Seeegm cool. Pollock [Ref. 10} attempted to construct a 
microprocessor based fuel injection controller for a Datsun 
280Z. He was not successful but did add numerous hardware 
ema SOLtware primitives to the existing 8080 library to 
enable floating point operations and trancendental 
functions. He pointed out the need for a debugging tool to 
allow dynamic debugging of the system as well as the need to 
provide a structure to block code into groups. The present 
implementation of CSDL provides a polled monitor which will 
not break the monitor cycle into dependent mocules. 
Dependent tasks must be nested within each contingency to 
ensure that they are completed. Pollock's primary 
Memebioucion was the creation of a utility to format the 
realization library and make its construction easier. [Ref. 11] 

Heilstedt [Ref. 12] expanded the horizons of possible 
Meplrtecations by using CSDL to design digital filters based 
on the 8080 library. Heilstedt implemented the CSDL design 
pivecenment on a Digital Equipment VAX 11/780 by converting 
a version of the design environment he received from 
beweence Livermore Laboratories, and to date, a complete 
weidation Of this program has not been done. Conversion 
problems were encountered which kept realizations from 


being generated when they were, in fact feasible. These 
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errors were caused by incompatibilities between the Livermore 
computer and the VAX used at the Naval Postgraduate School. 
heewas impossible to fully exercise all branches of the 


design environment so some errors may still exist within 





the rarely used subroutines of the deSign environment. He 
did however, show that CSDL can be used to support devices 


other than microprocessor based controllers. 
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III. DESIGN 


A microprocessor based digital controller may be 
regarded as a programmable electronic device which processes 
instructions in a sequential manner, senses signals from its 
environment and issues signals to affect (control) its 
environment. The environment consists of a set of electronic 
(analog and digital) devices or mechanical devices with 
appropriate interfaces. Microprocessor based controllers 
can be used to replace digital controllers based on 
discrete logic gates and offer the advantage of easily 
Pmeamarmmeae the logic driving the controller. Digital con- 
trollers using discrete components are "programmed" during 
the design phase when interconnections are designated 
between atomic parts. Reprogramming is difficult due to the 
many wiring changes that are required. In some instances, 
Semerollers can be designed with discrete components and a 
plug board arrangement included to provide some limited 
puegeatming. the result of using discrete components is a 
very limited ability to reprogram. For prototypes, the 
Peomlaeyeto change the logic driving the controller is an 
extremely attractive concept as the behavior of the 
controller can be changed without having to rewire the 


PeocOuype. 


> 
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Peeveees using CSDL in the past have howe the ability 
of the language to define microprocessor based controllers. 
They have not shown that the design environment can produce 
@ working prototype controller. All projects attempted thus 
far have relied on using separate, discrete components in 
the definition of hardware requirements within the realiza- 
em itbrary thus increasing the scope and difficulty of 
a Given project. To reduce the complexity of this effort, 
the Prolog Standard Bus development system was chosen as 
the target machine [{Ref. 13]. This development system 
@etisists Of a card cage, power supply, 2-80 cpu card, 
keyboard card with a 20 key keypad, an alvohanumeric readout 
with 8 light emitting diodes, and a dual UART using the 
standard RS=-232 iweercaces. The Z-80 realization library is 
constructed using the development system components (cards 
and cardcage) rather than discrete components. The Prolog 
system was chosen because of the local support available 
(Prolog systems are manufactured in Monterey) and the 
existence of several Prolog systems in the Electrical 
Engineering Department. 

Pollock recognized that one might have problems in 
testing any design built from the CSDL design system ana 
Provided primitives to allow the setting of break points 
within software and a terminal connected to an RS-232 
ieiemeeace built anto the controller. None of these 


orimitives were tested in an actual implementation. LCDR 
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Stephen Hughes [Ref. 14], in a Naval Postgraduate School 
master's thesis, designed a software package which enables 
an Altos 8 bit microcomputer to communicate with the Prolog 
Severopment system through a dual channel RS-232 port. One 
port connects to the Altos which acts as a host terminal and 
provides uploading and downloading of programs from the 
pomees Memory Or disk drives. A second port provides a 
connection for an ADM-3A terminal which vrovides a means to 
control the Prolog system when disconnected from the Altos. 
Hughes developed a PROM that enables the use of standard 
CP/M BIOS calls for input/output to the Prolog system. The 
utilization of a CP/M like operating system allows the use 
Of several debugging aids like ZSID and DDT on software 
before it 1S downloaded to the Prolog. This feature proved 
to be extremely useful as this project developed. 

Debugging in the CP/M environment is easily done using 
standard debugging software tools. A tool or set of tools 
1s required to allow debugging on the target machine as 
well. The PROM developed by LCDR Hughes, installed on the 
Z-80 card, acts as a primitive monitor program for the 
Prolog system and provides functions for dumping memory, 
calls to the BIOS, changing values in memory and filling 
Peetenmerot Memory with specific bytes. The example chosen 
to demonstrate the design environment's ability to design 
Pemerng controllers is based on the engine start sequence 


used in the Lockheed P-3 Antisubmarine Warfare aircraft. 
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jhe P-3 uses an Allison T-56 series gas turbine engine. For 
the purposes of demonstration the full T-56 implementation 
weil not be discussed as it would add unnecessary complexity; 
a generic gas turbine engine will be described and used as 
the target. A complete discussion of the physics envolved 
Mimeeie get cycle will be avoided and only the most salient 
Pornts given. 

Miemoseart COneroller is based on a “generic” axial flow 
gas turbine engine. The engine superficially resembles a 
T56-A-10 as used on Lockheed P-3A aircraft. During engine 
starts, the pilots and flight engineer are required to 
monitor numerous gauges widely spread apart in the cockpit. 
The chance of error in rapidly reading these gauges during 
the start sequence is high and increases with crew fatique. 

Miyewcockpit Of the P=-3 aircraft is configured such that 
the pilots sit on either side of a center pedestal which is 
approximately 30 inches wide. The flight engineer (the 
person who actually verforms the engine start) sits 
immediately behind the pedestal. The vorimary engine 
instrumentation is located on a vertical dash panel in front 
of the pedestal. The view for all cockvit personnel is 
unobstructed to these instruments which include a Shaft 
Horsepower gauge, an RPM indicator, Fuel Flow indicator and 
titaeanme Inlet Temeerature indicator for each of four 
engines. The starter panel is located above the flight 


engineer on a overhead panel which is difficult for the 
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pilots to see. It contains the start selector switch oa 
starter button. Additional instrumentation is located hove 
the copilots seat on the right side of the aircraft and 
includes oil pressure and oil temeprature Gaeaee Other 
Gauges on the overhead panel include bleed air pressure (air 
pressure 1S used to turn the starter on the P-3 engines), 
Paemmusce! taneous indicator lights which will not be 
aeseribed as they are not within the scope of this project. 

The basic start sequence is done entirely by the flight 
Egeemeer Dut is monitored by both pilots. Due to the 
distance and viewing angles of the instruments, errors are 
likely to occur causing unnecessary shutdowns and delays in 
departure. These same instruments are used when restarting 
am @ngine in flight and the cost of errors in this 
environment pose a potential threat to flight safety. 

Once the apovropriate checklists and vre-start briefings 
are completed, the pilot in command directs the flight 
engineer to start the engines (or engine). The flight 
engineer first sets up the bleed air panel to allow high 
pressure air to reach the start selector valve. The fuel 
and ignition switch is placed in the "on" position to allow 
fuel to reach the combustion chambers and the ignitors to 
operate when sequenced by the speed sense control. An 
engine is selected with the start selector switch and the 
starter button pushed. This allows high pressure air to 


Pieimertme starter. As the engine accelerates, the RPM 
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PiemeaeOr 1S scanned by the cockpit crew. At 16 percent of 
feommae REM there must be indication of fuel flow and 
peooelizeaitigh pressure air to the starter. Oil pressure 
poem iileshoulad be rising aS ignition occurs in the burner 
cans causing the engine to rapidly accelerate toward a low 
RPM setting of a 72 percent of normal RPM. MVeeStaGe is 
considered complete when the engine reaches a stable low RPM 
condition with the start valve closed, air pressure returns 
SO approximately 60 pounds and the ignitors are off. 

The engine consists of three main sections: 1. compressor 
Seammuenerc. COMmbUSELON Section and 3. turbine section. Air 
enters the compressor section and is compressed by a factor 
of 9.5:1. This increases the air density and raises its 
temperature 547 degrees above ambient. This highly com- 
pressed air enters the combustion chamber where fuel is 
impeemed and ignited by ignitors during the start sequence. 
The process of ignition is self-sustaining once the 
nmeeercedight the fuel/air mixture. The hot gases 
produced in the bombustion section pass to the turbine 
section where energy is extracted to turn the propeller, 
compressor and accessories (fuel control, pumps etc.). 

During the start sequence readings are taken from the 
following gauges: fuel pressure, rpm, TIT (Turbine inlet 
temperature), oil pressure and clock. Figure 3 contains a 


elmmeaiy Of sensors for the start controller. 
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exgnals Signal Type Allowable Limits 


1. Fuel Flow Analog 00-2000 lb/hr 
2. TIT Analog Vai Z200mdes cent. 
fe Lemitors Digital on-off 
fe 6©O1l Pressure Analog U=10G 1 bs7 somrneh 
oa RP Analog 0-120 
fee stake Switch Digital on-off 
7. Fire Sensor Digital on-off 
Pecure 3  Stant Ceneroliller Signal Summary 

There are eight start malfunctions which can occur and 

require immediate shutdown to avoid engine damage. They are 


a turbine inlet temperature overtemp, stalled start, fire, 
low oil pressure, engine overspeed, no ignition, stagnated 
Seieeradna ITGnitors on after start. A fire condition requires 
the activation of the fire extinguishers in addition toa 
normal shutdown. Malfunctions used in this problem and the 
Signals that will be used are summarized in Figure 4. These 
malfuncations are described in more detail in the following 


chapter. 
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Malfunction 


i over Lemp 
Srearied Start 


Fire 
Low Oil press 


Overspeed 
Ney ignition 


Stagnated Start 


fie tors On 
deter Start 


Figure 4 


Action (output) 


Shutdown 
Shutdown 


Shutdown/Activate 
fire extinguishers 
Shutdown 
Shutdown 
Shutdown 


Shutdown 


Shutdown 


Malfunction Summary 


2 


Sensed From 


Pie oOdeq 
RPM stabler at 
<60% 


Fire sensor 
Oil pressure 
RPM > 74% 
(A¢GnitTeOmSron 
and. Lips 200) 
and RPM>16% 
(PRM Stable 

< 60%) and 
TIT > 760 deg 
(RPM > 65%) and 
LEmeseors on 





IV. DETAILED DESIGN 


The actual design of a microprocessor-based controller 
using the CSDL design system starts with the conversion of 
the problem description into the Computer System Design 
Language representation. The syntax of the language is 
defined in Appendix A of Ross's doctoral dissertation 
Sete o- ©. A-l, A~7J. Chapter III of this paper describes 
the problem that this chapter will be used as an example 
design. 

Figure 5 is a flow chart of the engine start controller. 
Pemeotmeists Of an initialization block to initialize all 
VMactdables within the controller. At this point in the 
design process, the designer probably will not have an 
accurate picture of all variables required to express the 
Meeerenee if the initialization block is not required it can 
be removed at the end of the design process. Initialization 
will generally consist of setting clocks or test parameters 
Peet ne Controller. After the initialization block a test 
to determine if the start switch has been pushed is performed. 
If the start switch has not been pushed the program loops 
back and continues the test until the start switch has been 
peemeae After the start button has been pushed, the monitor 
Vulbeemove on to the next contingency test in the sequence, 


Zeieoaielas a polling loop as a monitor so the tests are 
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arranged in a loop with a test (contingency) for each 
malfunction listed in a sequential manner. There are only 
two tasks to perform in this implementation, an engine 
shutdown or an engine shutdown with fire extinguisher 
activation. When a test fails, the flow of control passes 
to the next test in the sequence in an endless loop. 
Pentingencies are tested until the engine start sequence 
mmceomplete Or until a malfunction occurs. When a mal- 
Mineeton Occurs, a contingency test will be true and the 
associated task will be executed leading to an abnormal 
Shutdown. At the end of the start sequence, mechanical 
gevices trip an electrical switch which releases a 
solenoid within the start switch causing the start switch 
mom Pop and disconnect the start controller. With the 
completion of a systems flow chart, the designer should have 
a good understanding of what functions the controller is 
expected to perform and the types of signals are available 
for processing. The designer can then begin work on the 
generation of a CSDL representation of the problem. 

The Identification section of the CSDL listing contains 
the designer's name, date of creation and vroject name. 
Simece some form of version control is required for any 
project, a version number can be appended to the project 
name with no affect on the design environment. For this 


peeeilem, the Identification section appears in Figure 6. 
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IDENTIFICATION 
Designer: Richard Riley 
Saeowe Noy 83 
Peeiece se otarte Controller = Version “1.4 


Pigues 6 (Tdentitication Section 


The Design Criteria section is the only section in which 
the designer can choose (to a limited degree at least) how 
eae COntroller is to be built. In this design the metric 
Parameter is listed as "first" to force the use of the first 
implementation generated. The design environment is capable 
of producing more than one implementation with the use of 
multiple realization libraries. We are using only one 
library, the Z-80, so this parameter is listed as "first". 
The volume parameter indicates the rankings (order) of the 
realization volumes for the design environment to use. In 
this case there are two volumes available, the 8080 and the 
Z~80, but only one will be used and the volume parameter is 
Eero one. The monitor parameter is used to select the 
monitor strategy to use. So far, the design environment 
only supports a polled monitor and thus this parameter 1s 
also set to one. In future versions, the design environment 


waeesupport ah interrupt driven monitor and the design 
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criteria parameter can be used to choose the desired strategy. 


mgesDesign Criteria section for this problem appears in 


Baeure 7. 


Design Criteria Section 


Metric = First ; 
Volumes = 1 : 
Memttors = 1 - 


Figure 7 Design Criteria Section 


The Environment section contains a description of the 
variables required by the controller to keep track of the 
Signals it receives, test them and ultimately produce some 
sort of output. Since output signals must be generated 
from any controller, it makes sense to define them first, 
Getermine what input signals are required to make decisions 
and generate the output signals and finally to define the 
temporary variables (Arithmetic in CSDL terms) for use 
internally by the controller. These signals must be 
@esenibea by name, bit size, and signal type (TTL, RTL 
SiC) 

Emenee are basically two types of output signals used by 
maeeseoroject, shutdown and fire extinguishing. For testing 


purposes, shutdown signals are designated for each type of 
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—. 


malfunction. In an actual design only one shutdown signal 
Bemlce se defined. From the flow chart in Figure 5 it can 
be seen that eight shutdown signals are defined. Since the 
object of this signal is to set a switch to deactivate the 
meebe sequence we need only define a single bit for testing 
purposes. For compatibility with the Prolog system input/ 
output channels, all signals types for this controller will 
be defined as TTL. 

The input signals needed from the engine are RPM, oil 
pressure, ignitor switch on-or-off indication, eee Switch 
on-or-off indication, turbine inlet temperature (TIT) and 
fire sensor indication on-or-off. Additionally a reset 
Signal has been added to aid in resetting the controller for 
testing purvoses. In an actual implementation this signal 
would be excluded and the initialization sequence started 
when power is applied to the engine with a start selector 
Switch. 

Hiesinternal signals required for this controller are a 
clock signal for elapsed time and a flag for the stagnated 
Peamenecontingency. CSDL does not support a contingency 
which requires a precise elapsed time. Timing constraints 
given in the problem are used to build the monitor and to 
define the maximum time allowed between each contingency. 
iiemeecalizgation library contains a clock primitive which 
uses the counter-timer chip on the 2-80 card in the Prolog 


system. This signal is generated internal to the Prolog and 
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momocetined in the arithmetic section. The stagnated start 
flag 1s a variable and is not sensed from the environment 
and thus must be defined within the arithmetic section as 
well. 

The complete Environment section for this problem 


appears in Figure 8. 


Environment 

Pnpwe : 
Pe ot ne, Pe reeSense, piri. ; 
CMevGes, 7 sole = iont tor, ftL > TIT, 16, TLE. - 
Beant: Owltch,1),TTL 3 REE tao wll cehinel inne 

Olclie eybha 
Done nobel. lil, + SD3,1,TTL. > SDa5ek, Dine. 
Swope eel. Spo ,ls TTL. .s SID 7 padi eee ee) Coded eee 
bisee Ext, 1, TTL > 

Arithmetic: 
Glee 6, lL STAGCELG, 1, TTL. ° 


Figure 8 Environment Section 


The Contingency section contains the timing requirements 
mer cach contingency/task pair. This section is built from 
the flow chart by using the diamonds as the contingency and 
the associated process box, in this case a shutdown or a 
shutdown and a fire extinguisher activation, as the task to 
be accomplished. The timing listed in this section 
determines how the design environment will construct the 
monitor and is used to determine if a feasible implementation 
can be constructed by adding up the times accumulated from 
the primitive list and comparing the sum to the times 


accumulated from the contingency list. 
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ie first cont ingency/task Baan encoun tesca el nema s 
implementation is the test for a reset switch. Its 
associated task is to perform an initialization of the 
shutdown variables, clock, reset switch and to sense the 
start switch. An arbitrary time value of 100 milliseconds 
Bec chosen. The CSDL construct used for this example is 
the When-Do which will perform the task when the contingency 
ms true (when the reset switch is pressed do the initializa- 
e@om task). in the CSDL syntax it appears as: 

CONTINGENCY 

mene Reset Switch (100ms) do INIT; 

The next contingency to be developed is for the clock. 
As mentioned above a primitive exits to perform the clock 
Function but the timing is not supported by the design 
environment. The purpose of the clock is to keep track of 
time, and it must run for at least 1 minute - the maximum 
time a start will be allowed to continue if the RPM has not 
reached 72 percent of normal RPM. The clock must be 
initialized and the time accumulated in a variable to allow 
the stalled start and stagnated start contingencies to 
meervate Jf mecessary. The time 1S updated every second so 
eyewcOncingency must be timed at 1000 milliseconds. The task 
mmmpenis case 1S the clock function and there 1s really no 
contingency to test as we simply want to perform the clock 
function. The dummy contingency "every" is used in this 
case to keep the contingency/task pairing intact. The CSDL 


representation is: 
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eveuy (1000ms) do clock: 


The next contingency is the turbine inlet temperature 
Beeeevit) test. Once again this contingency task pair will 
Mee the “every” form to force the monitor to execute this 
task a minimum of every 100ms. In fact all the remaining 
mests Will use the now familiar “every" form with a test 
Peeled Or no greater than 100ms. The stalled start task 
(stalstr) tests whether the engine has accelerated beyond 
emo eeeceme OL normal rom within 60 seconds. The fire task 
determines whether any of the fire sensors attached to the 
engine has shorted indicating a fire is present. The low 
Oil pressure task (lowoil) determines if sufficient oil 
pressure is present in the engine to continue with the start 
sequence. The overspeed (ovrsod) task determines if the 
engine is accelerating beyond 74 percent of normal rpm 
indicating a failure of the engine speed governing system. 
The no ignition task (noign) determines whether the ignition 
has taken place by testing for rmp greater than 16 percent 
of normal and tit greater than ambient. The stagnated start 
(stagstr) task terminates the start sequence when rpm is 
less than 65 percent of normal and the tit is greater than 
760 degrees. This condition will generally occur within the 
Rift EOtty Sseconas Of the start and a clock value of Eorty 
Seeenus 1s included in the test. The ignition after start 
mereeetermined whether the ingitors have shut off after the 


engine has started by sensing rpm greater than 65 percent of 
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normal and the ingitors switch in the on position. The 


Semelete contingency list appears in Figure 9. 


Contingency: 

mnem Reset Switch (0@ms) do INIT ; 
mercy (1lL00Q0ms) do CLOCK ; 
Every (100ms) do TIT OVR ; 
Every (100ms) do STALSTR ; 
Bvyery (100ms) do FIRE ; 
Buemy es (1 00ms) do LOWOIL ; 
Every (100ms) do OVRSPD ; 
Every (100ms) do NOIGN ; 
Every (100ms) do STAGSTR ; 
Every (100ms) do IGNAFTR ; 


Figure 9 Contingency Section 


The Procedure section contains the contingencies and 
tasks to be performed when called upon by the monitor. The 
contingencies and tasks listed here form the logic by which 
the behavior of the controller is determined and is the 
portion where the most creativity on the designer's part is 
required. 

The first functional element in the procedure section is 
Miemeuneeton Reset Switch. its only function is to sense 
the position of the reset switch and set a flag which will 
be tested by other functions and tasks in the procedure 
section. It is developed using the IF-THEN construct from 
Pepemorx A in Ross's thesis. [Ref. 14: p. A-3] In this 


construct a condition is tested by the IF and if true the 
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task after the THEN is executed. In each functional element 
a SENSE command is used to sense the variable in question. 
It may exist in a memroy location developed by the design 
environment or it may be taken from an IMput/OCUCcpUG spore 
known to the design environment. In either case the 
designer is only responsible for designating its existence, 
the design environment works out the details of where to 


miaceeae-. The function for Reset Switch appears in Figure 10. 


Pitemlon Reset Switch; 
ieeresee = | then Reset Switch = 1: 
ELSE Reset Switch = 0 ; 
END IF; 7 
Pitemneset Switch ; 


Figure 10 Reset Switch Function 


The next functional element is a task to perform the 
initialization of variables. This task is fairly simple and 
consists mainly of assignment statements. At the end it 
senses the position of the start switch and sets the reset 
switch variable back to zero to avoid reinitializing the 
variable during subsequent processing. The structure of 


enas task 1s: 
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hask INiT: 
CLOCK 


Su 
SD 
Soo 
SD4 
SD5 
SD6 
SD 
SD8 
SD9 


INS Se 


il 
OO OO OO @ OQ Oe 


low Weal 


1 


ce 


* =e =e =e =e 6" e =e =e “Se 


, 


Seek — eee 
Sense Seat now Peon : 


Figure 11 Task INIT 


iiemelo@ck function is Simulated by using a simple 


Seumter which increments the value of the clock at one 


second intervals. 


The IF-THEN construct 1s used to test the 


aeeemowl teh OOSition. If it 1S in the start position 


fee) tne clock will start counting from zero. The 


@emseruct for the clock function appears in Figure 12. 


penierTON. CLOCK: 
feo Switch THEN 


Ene Lf ; 
END CLOCK; 


CEOCK=CLOCK + ft; 


Piciieom! 2 runcErTon CLOCK 
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The turbine inlet temperature overtemp function uses the 
ie tEaaN construct to test the value of the tit against a 
Genstant of /60. When the tit is greater than 760 a shutdown 
condition exists and the controller will initiate a shutdown. 


Mite task defined for titovr is given in Figure 13. 


Task TITOVR: 
IF Seo rer then 
sense (TIT) ; 
tet its>= 760 THEN SDI =1 ; 
ISSUE SDI; 
BND Sir 
END LE; 
Bb TITOVR; 


megure 13 Task TILTOvVReR 


The task for stalled start follows the same general 
format as the previously detailed structures in the 
Procedure section. The only difference is the use of a 
boolean operation (and) within the IF-THEN construct to test 
for two conditions to execute a shutdown sequence. The task 


BOGroltALSTR apbears in Figure 14. 


TASK STALSTR 
Paeocar ct owhteh, THEN 
Sense (RPM) ; 
EF €LOC Kean GO)mand. RPMa<— (60) 
THEN SD2 = 1 ; 
PN aeler 
ISSUE SD2 ; 
EN br 
END STALSTR; 


Figure 14 Task STALSTR 
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By now a pattern should be apparent. The IF-THEN 
construct has been used heavily in this example to provide a 
means to test conditions before executing a shutdown 
sequence. This simple construct is used in all eight 
iaerunetions that this controller will test for. A complete 
mesting Of the CSDL description appears in Appendix A. 

Premmodudarization of the monitor would allow the 
SeeaeioOn Of an initialization module to initialize all 
fwaetdoles, a start module, a run module to actually carry 
out the control desired and a reset module to restart the 
controller in the event of a failure (power fault, restart 
aeeer some malfunction, etc.) This concept of modulariza- 
tion is not supported in the present implementation of CSDL. 
Although we thought this idea could be support through a 
series of primitives in the realization library, attempts 
to construct primitives to perform this function proved 
mauilchess . 

Once a CSDL representation of the design problem is 
generated the Environment, Contingency and Procedure 
sections must be converted into a primitive listing. The 
present design environment does not include a compiler, so 
fomerne time being, the CSDL description must be hand 
@emetled. Most of the frustration with this project was a 
meosuie OL EhilS process. 

Mien priameeave listang should be viewed as an assembly 


language program with the primitive names or titles being 
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the instruction set. The code that comprises each 
individual primitive is analagous to microcode. This view 
6f the primitive list allows for an easier transition into 
the world of hand compiling. When code is compiled using an 
automated compiler certain rules for syntax must be followed 
Semtene COmpiler can properly choose the correct code to use. 
tiemenand compiling, no such rules exist and it becomes a 
more creative process as a result. 

The syntax used within the CSDL description in Appendix 
A is the result of work being performed by LCDR Hill Carson 
mmecOnjunetion with the CSDL project. LCDR Carson has 
formalized the CSDL syntax and is in the process of writing 
a syntax directed compiler for the computer system design 
language. When completed it will take a CSDL description 
and compile a primitive listing which can be directly input 
to the design environment. 

The primitive listing is one of two files the designer 
must input to the design environment. A few words of 
Caution are in order at this point. The design environment 
resides in a file called NEWCSCL on the VAX under the VMS 
operating system. NEWCSDL is written in FORTRAN and is 
highly column dependent. The primitives in the primitive 
meoting Start in card column 6 with a lower case "s" or “t". 
NEWCSDL will not process uppercase letters so all references 
to primitives and variables must be in lower case. All 


names for varialbes must be less than 6 characters long; 
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names for procedures may be up to 10 characters long. There 
are essentially two primitive formats to be concerned with. 
mee =. Generated for:<title>" is a title line and informs 
NEWCSDL that a new procedure is being generated. The "t”" 


eee appear in column 6 and the first letter of the title in 


Serum 23. The other format is for the "s.primname 
Meenas cs selection information)" primitive. The “Ss” must 
meeeaegeis Column 6 and the "(" in column 18. An improper 


line error will result if these column dependencies are not 
recognized. 

The CSDL description does not contain the data to make 
Pie calls to the primitives that generate a monitor for the 
controller. The first two primitives listed in every 
primitive list must be: 


t.generated FO :system KeKRKKKKKKKEKKKRKEKKKKEKE 
S.main hiscuces) 


The "t.generated for" is a title line which will name the 
contingency "system" and "S.main" is the task to build the 
monitor. Note the colons in the S.main primitive. These 
must appear in every primitive. The colons are used to 
separate variables, parameters and attributes of the 
Eeimreavye. if these values are null, the colons must still 
appear or an “improper line" error will result. The stars 
meepedenwena Of the “t.generated for” are used as markers to 
aid in reading the primitive listing and have no effect on 


NEWCSDL. 
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Maen 1¢entifier defined in the ee section will 
need to be defined as a variable or one of two types of 
constants. Variables are assigned to high memory locations 
Just below the stack area. Constants are assigned in low 
megery. ine “S.initialcons" and "sS.initialend" primitives 
were built to allow code which only needed to be executed 
once at the beginning of a program to be blocked together. 
In an initial run of a test program, attempts were made to 
use these primitives to "block" the initialization of 
variables and constants. The end result is that the 
variables appear in the assembled Z-80 code as variables but 
when the program is executed, the computer interprets these 
memory locations as instructions leading to disastrous 
results. This example is compiled uSing "S.initialcons" and 
Poeiniteialend” to show the results in the compile code. A 
separate test case is generated in the next chapter to show 
the proper method to declare variables. 

The environment section generally will not include all 
the temporary variables required. As each structure within 
the procedure section is converted to a primitive list, a 
Poaming listing of all temporary variables should be 
Pemeeled. The syntax for the “s.var", “sS.assigncons” and 


Msa.ceons' primitives are listed in Figure 15. 
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S.var (varname: precision) 
S.assigncons (varname,valueassigned:prec,prec) 
S.cons (varname, valueassigned:prec,prec) 


Bogue 15 “Syntax form Variables and Constants 


Mie Precision parameter is listed in bits and is generally 
Meeewees!, 5 Or 16. The "s.var" primitive reserves a 
Pecatiom but assigns no value to that location in memory. 
A variable value can be changed as a result of processing. 
An "sS.asSigncons" primitive has the same function as an 
"S.var" primitive except that an initial value can be 
assigned to the memory location chosen by NEWCSDL. The 
©S.cons" primitive assigns a constant to a memory location 
that cannot be changed during processing. A complete 
listing of the variables in this example can be seen in 
Mependix B. 

The Contingency section is converted into a primitive 
Meseeencg by listing a title line, an "sS.every" and a 
emvar for each entry. The use of the "s.every" primitive 
is peculiar to implementations in which the contingency/task 
is to be performed each time called. The a dummy variable 
eee den(! through 8)" is used for all contingencies except 
Sewer ae? contingency to help distinguish it from the ‘"s.every” 
Baeetive. An example of a primitive list for a contingency 


appears in Figure 16. The 2-80 implementation of the 
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"S.every”" construct does not require the use of the "s.proc" 
Piieiemeche “t.generated for” primitive or the "s.exitproc"” at 
the end. Other procedures may require these two "entry" and 
"exit" primitives. The "s.every" implementation in the 8080 


Jibrary does require the use of the “s.proc" and "s.exitproc". 


ite generated for:reset KEKKKKKEKKEKEKEKKKKKEKKKKKEK 
S.every (reset::) 
S.var (reset::) 
io generated HOC: eoaecn | KEKKKKKEKKKKKKKKKKKEKEEE 
sS.every (eachl::) 
S.var (eachl1:8) 


Figure 16 Example Listing for a Contingency 


The functions and tasks listed in the Procedure section 
of the CSDL listing begin with a t.generated for title line, 
Followed by a "S.proc" (procedure name). The body of the 
procedure is listed and terminated with an "s.exitproc" 
primitive. The creation of an IF-THEN statement uSing 
primitives follows the same pattern one would use in 
generating this structure from assembly language code. The 
First step is to sense the condition or variable to be 
tested. In the Z-80 library this is done with an "s.atod" 
parmreivye (analog to digital converter). This primitive 
will read a port from the analog to digital conversion card 
and record the value found in the variable listed in the 


parameters of the primitive. Once this value is stored it 
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is logically compared (a boolean and, greater than, etc.) 
with a constant (test value). This operation results in a 
flag being set in the 2-80. A conditional jump follows to a 
known location. In this example an "s.jmpf" or "Jump on 
false" is used to jump to the end of the procedure if the 
test fails. This is the general structure used to implement 
the IF-THEN statement throughout the examples given in this 
thesis. An example, using the TITOVR procedure, 1S given 


im Paigure 17. 


t. generated EOD tltewe KREKKKKKKKKKKKKKKKKKEKK 
SHoOmec (Eine ov rs.) 
s.atod (stswt:8) 
s.and (temp2,templ,stswt:8,8,8) 
Se ampt (Gemp2 tities) 
s.atod Elie 6) 
SG V7 (eLECOn, tEeteenD Oo: Oo, O76) 
s.ge Cercilt- eLecom, EemMe4eo, a, 6) 
Symon temo beret |. 8) 
Sour Led (ems ise. 3) 
SaLoc tele) 
Sex Le proc (ELeOvE =) 
Figure 17 TITOVR Procedure Primitive Listing 
Primitives vary in precision. All operations, whether 


numeric or logical must be between values of the same 
precision. There are conversion primitives which will 
convert between 8 and 16 bit values prior to any operation 


and their use is mandatory. 
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One other example procedure will be discussed since it 
meeates tO Lhe use of the clock listing given in Figure 12. 
memene time the primitive list was generated, a new clock 
primitive was written which accessed the counter timer chip 
(ctc) on the Z-80 card within the Prolog system. The 
primitive listing reflects this new clock with a call to the 
new primitive. Since the initialization procedures for the 
clock primitive are internal to the primitive, the designer 
is relieved of the chore. Once set into motion the clock 
feeelbeqenerate a 16 bit number which can be read into a 
variable via the "S.rdtime" primitive. The variable is named 
aS a parameter of the primitive. This value can then be 
manipulated and tested for use as a timer. The STALST 
mecceeure 1S used to illustrate this point. Figure 18 is a 
Mmieaves list for STALST. "S.proc” builds a label in 2-80 
memmac tO Start the procedure block. This label is called 
by the monitor when the contingency test is true. "S.atod" 
meagiomene Start switch position, which will be 1 1f on and QO 
enews. ana logically compares the values of the start 
Switch with a variable called tempol. Templ has a 1 loaded 
[tro 1ts memory location. If the start switch value is l 
Biewesae tempo will be set to 1, if the value of 0 the temp6 
MeMEeecee to 0. "S.jmpf" is a jumpe@on false primitive. It 
will compare the value in temp6 to 1 and jump to the 
Neea-ton defined by "Stal" (to the end of the procedure). 


Dmitecmrecacs thesrpm indication. "S.je" 1s a less than or 
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t.generated memas ta lot KREEKKEKKKKEKKEKKEKKKKK KK KKK KK 
S. proc (stalst:) 

S.atod (stswt:8) 

S.and (temp6é,templ,stswt:8,8,8) 

Sa ympt (temp6,stal:8) 

Sa tod ie a-o) 

s.le (apm ha, bomeon, Gpm: 3,6, oc) 
s.rdtime (elkeeck= 6) 

s.le (elierit cleci,clikcon:3,16,16) 
S.and (temps ;epminee ,olerlt:6,8,39) 
Mea pions (temo7,stal:8) 

s.outled ({temp7:8) 

ey Loc (stal:) 

S.exitproc (stalst:) 


Figure 18 STALST Primitive Listing 


meal EG Ene constant, a lis stored in romrlt, if value of 
PomeiS Greater than the constant, a 0 is stored in rpmrlt. 
The clock ( which has been accumulating time) is read by 

use of the s.rdtime orimitive. This primitive reads the 
clock value and stores it in a variable named by the 
designer in the parameter section. The value of the clock 
Pmt men compared to the constant clkcon. Clkrilt is set to 

1 when the clock value is less than or equal to the constant 
mer Ot! clock 1s greater than the constant. “S.and" 
Mecdeally and the values of clkrit and romrlt and stores a 
bemecteme, 1£ the result of the comparison is a true or a 0 
femtne result if false. "S.jmpf" jumps to the end of the 
primitive when the result of the "s.and" is false. When the 
Peed sic) true a malfunction exists and “s.outled” is used 


=emiiedera led on the Prolog front panel as an indication of 
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eae malfunction. The "s.loc" defines a label at the end of 
the procedure. "S.exitproc" causes the program to jump back 
to the monitor to execute the- next procedure in the polling 
HOOD. 

The complete primitive listing for the example problem 
eames be Seen in Appendix B. The format for entering values 
within the parameter section of each primitive is given in 
meen 2-60 realization library. 

Mie second file the designer must build is the Applica- 
€10n Timing Table or IADEFL. This file is essentially an 
extract of the timing given in the contingency section of 
the CSDL description. The syntax for each line and the 


column locations for each entry of the IADEFL is: 


i 7 18 29 32 
a <num>: contingency name: task name: units: 
SW 42 aw 52 ae 62 67 
rho, betal, beta2, order, pii, gammal, gamma2, 
68 
bckgrd 


Pmmeceisc the time wnit of all application table times 
(ie. "ms" for milliseconds). All values expressed beyond the 
units entry in the IADEFL are integer values representing 
time in the units specified by the units entry. Rho is the 
allowed period of the contingency/task pair, betal is the 
maximum allowed time duration of the contingency, and beta2 
is the maximum time duration of the task. The backround 
epepyeisea flag to indicate that the task is to be treated 
as a backround task with no time period specified. All 


other entries can be left empty with space set aside to 
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maintain column dependencies. Order is the global order of 
BiemeOntingency/task pair, pii is the priority of the 
contingency task pair, gammal is the maximum allowed time 
duration of any timed block in the contingency and gamma2 is 
the maximum allowed duration of any timed block in the task. 


gpes2itste two lines of the IADEFL for this problem are given 


mamcmmexamole in Figure 19. The small "a" tells 
aQOQl:system: :ms ; , DG ee ee ee 
Pere set =initsms:100 ,100 ,100 , , , , ,0 


Figure 19 Example IADEFL 


the design environment that this is an application timing 
table entry. Line numbers are given immediately following 
the "a". The system line tells NEWCSDL that this is a 
background task with no associated time (the one in the last 
column sets this flag). Also note that no task is 
associated with the system line. The reset line includes a 
mask (indt). The units must be constant throughout this 
file, and in this case are listed as milliseconds. The 
timing for the contingency task pair is 100 milliseconds. 
The timing for the task alone is 100 milliseconds. This 
task is not a background task and must meet the timing 
parameters listed for the implementation to be feasible. 


All other timing parameters not listed are not required for 
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this example. Column dependencies are not preserved in this 
example to allow presentation within the format of this 
Peper. #A complete IADEFL is given in Appendix C. 

With the completion of the Primitive list and IADEFL the 
designer can submit his work to NEWCSDL for processing. 
Mere are six files which must be present to enable NEWCSDL 
Beerunmetion: NEWCSDL.COM, GLOBALS,DAT, PRIMITIVE.DAT f 
meen. DAT, RELIZE.MAC, and MONTER.DAT. The file labled 
PleeAibo-VAT 15 a file that contains all of the global variables 
mifeemale GCalled by the RELIZE.MAC file. REALIZE.MAC is the 
Mmealization library. MONTER.DAT contains primitives to 
build the software monitor. 

When these files are present, NEWCSDL can be invoked by 
typing "NEWCSDL". The program will ask the user if an 
output to the terminal is desired. AnSwering this question 
with a yes will slow processing down to a snails pace. All 
amet Gata can be output to a file to allow more rapid 
Peecessing. The next question asked is to what detail to 
build the error file. All error data are output to a file 
call FORO99.DAT. There are three modes of operation which 
are selected from a menu. Mode O dumps all error messages 
to the FORO99 file. Mode 1 dumps all error meesages and 
adds the calculations for each line, ROM and RAM pointers. 


Mode 2 dumps a detailed trace including all caiculations 
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Paren Occurred within oan primitive. With these questions 
em@owered the program will continue to process the file to 
Semipletion Or until a fatal error occurs. 

When the program terminates, the FORO99 file should be 
@eceeked first for any errors. A recommended procedure is to 
use mode 0 for initial processing through the design 
Sevaieronment. This will reduce the number of error lines 
[eeeead in the file. If errors are present and the reason is 
met ammediately obvious, print the file and rerun the 
problem using mode 2. Mode 2 produces a very large file 
with all the calculations and linkages performed by NEWCSDL. 
With a printout of the much shorter mode 0 file, a search 
can be made through the mode 2 file with the editor on the 
Peeweee find the point at which the error occurred. 

A successful run through the design environment is 
Signaled by the generation of a software listing and a 
hardware listing located in FOR0O46.DAT and FORO047.DAT 
BespectEively. Two additional files also occur; FORO021.DAT 
is an intermediate file and contains the primitive listing 
with the byte count, timing parameters, and beginning and 
ending line numbers for each primitive; FOR063.DAT 
reiterates the IADEFL.DAT file. The 2-80 listing for the 
SeaGct Controller appears in Appendix D. 

The software file can be downloaded to a Z-80 based 
machine via modem for further processing. This process will 


be discussed in the next chapter. 
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V. TESTING AND VALIDATION 


me)|6COVERVIEW 

Utescesting and validation process developed in this 
chapter follows the steps in the flowchart given in Figure 20. 
This process is iterative in nature and many loops through 
this system may be necessary before the prototype matches 
to the specifications. This is largely due to the experi- 
mental nature of the design process and immaturity of the 
realization libraries. The lack of a compiler makes the 
design process error prone because the designer is forced to 
hand compile the CSDL description. The realization libraries 
have not been validated beyond the benchchecking stage. 
This chapter will describe the method used for downloading 
programs from the VAX and the testing methodology used in 


verifying the Z-80 code generated by the design environment. 


B. DOWNLOADING 

Tieesoftware listing in the FORO46.DAT file is of little 
use while it remains in the VAX system. Some means must be 
made available to transfer this listing to the target 
Beene iton testing, debugging and implementation. There 
are two methods available to the designer. One involves the 
use of a modem, the other a communications line connected 


emuecely £O the VAX. 
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DESIGN 


DOWNLOAD 


ASSEMBLE 


LINK 
GENHEX 















Tieot 
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PROLOG 


Figure 20 Testing and Volmdation hilow Chare 
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The modem, short for modulator-demodulator, is a device 
used to communicate digital data over telephone voice grade 
circuits. A modem must exist at both ends of the communica- 
tions channel. Data from the VAX is transmitted through a 
modem, into the telephone circuit, then to the receiving 
modem, and finally into the receiving computer. Communica- 
efens Sottware must be used with both computers to set the 
Parameters of the interfaces to the modems and within the 
mecdem itself. The speed of a modem is given as a baud rate 
and must be set the same at both ends of the communications 
emennel . 

ne microcomputer lab is located on the third deck of 
Spanagel Hall and has one phone line with a 300/1200 baud 
modem attached to a single Altos microcomputer. The VAX has 
two phone lines connected to the VMS side, one used for 300 
baud communications and the other used for 1200 baud 
communication. The designer must ensure that the modem baud 
rate select switch on the modem in the microcomputer lab 1s 
set to the same speed as that selected (via the phone number 
Seabed) on the VAX). After booting up the CP/M operating 
system, the communications software can be loaded into 
either drive A or B of the Altos. Two public domain modem 
programs are available in the microlab, FCALL and MDM705. 
eenetmerCgcLam works but MDM/05 is capable of faster speeds. 
Documentation for both programs can be found on the utility 


disk located in the lab. 
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To start MDM705 simply type MDM705 and the "command" 
prompt will appear. Typing an "H" and a carriage return will 
allow the user to page through a four page help guide. To 
Seem the terminal mode type a “T" at the command prompt and 
Peiemeene Carriage return. The program is set to a default 
baud rate of 300 baud but can be changed to 1200 baud by 
Following the procedures in the MDM705.DOC file on the 
utility desk. The user must ensure that the baud rate is 
set correctly for the telephone line dialed into the VAX. 
Once the line is dialed, the VAX will initiate communications 
fee VMS Or Unix?" prompt. Typing a V at this point 
connects the user with the VMS operating system and normal 
login procedures can be used to log on to the VAX. Once the 
login procedures have been completed the "$" prompt should 
mepeak. Lype a “control Y" to open the text buffer in the 
modem program and then type "TY Filename.Filetype". The VAX 
responds by sending the file to the terminal. The user can 
see the file scroll up the screen. At the completion of the 
Peeitseemet ype a “Control R" to close the buffer. Type 
Bee@merol &° to get back to the command mode and type a "WRT" 
Moewritce the file to disk. The text buffer is approximately 
18 kilobytes long, so long files may have to be split and 
transmitted in separate pieces and then recombined after the 


transfer is complete. 
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File transfers using the communications line to the VAX 
are Similar as far as the communications software is 
concerned except that speeds up to 4800 baud can be 
utilized. For long files, this extra speed can be very 
useful. This line is normally connected to the VSM terminal 
in room 527 of Spanagel Hall and has a default setting of 
9600 baud. Unfortunately, the MDM705 software can't keep up 
with this speed. The speed can be changed at the terminal 
after logging on to the system. Once the speed has been 
changed the communications cable is disconnected from the 
terminal and reconnected to a cable attached to the Altos 
computer in the next room. With the cable set at 4800 baud, 
MDM705 software must be configured for 4800 baud as well. 

To reconfigure the baud rate to 4800 baud, use the 
procedures located in the MDM705 file. The instructions for 
file transfer from this point are the same as those for 
modem use. Be sure to reconnect the communications line to 
the terminal when finished. Logoff procedures can be 
performed at the Altos. The default baud rate of 9600 will 


be set at logoff. 


Sen FROGRAM ASSEMBLY 

Once the file has been moved to the Altos, it can be 
assembled and linked like any other assembly language 
program, with one exception. In the Prolog memory map, 
using the PROM developed by LCDR Hughes [Ref. 16: p. 22], 
Meerememory starts at 400 hex. When linking a version of 


63 





the program targeted for the Prolog system the "L" switch 
must be set to 4000. This is done by putting a [L 4000] 
after the filename when invoking the L-80 linker (ie. L-80 
eirename [L 4000]). This will cause the linker to start the 
program loading at 4000 hex (the bottom of user memory in 
mae Prolog). 

Programs destined for the Prolog system must be 
converted to a hex format before transmission to the Prolog 
system. A program called GENHEX exists on the multiuser 
Altos in the microlab which can be used to convert linked 
Files to hex format. This program will also run on a single 
user system is offloaded from the multiuser system on a 
standard IBM single density formatted eight inch floppy 
disk. The command for envoking this program is GENHEX 
filename 4000. Again the 4000 is there to force GENHEX to 
load the program starting at 4000 hex. This file contains a 
lot of storage overhead and will be approximately 46 
kilobytes in length. When loaded into the Prolog system, 
this overhead is stripped off and the file will fit within 


the Prolog system's 16 kilobyte memory. 


D. AMDS 

Files are loaded into the Prolog system by using the 
Gevelopment system created by LCDR Hughes. The Prolog 
system is connected to a single user Altos via the printer 
port. This connection is made through a flat ribbon cable 


attached to channel A of the dual UART located in the 
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Prolog's card cage. A second cable, comming from channel B 
of the dual UART, is connected to an Lier-Sigler ADM-3A 
terminal. The PROM will allow communication between the 
ADM-3A and the Prolog system for examining memory locations 
and changing values of memory locations. Uploading and 
downloading of programs to the Prolog system must take place 
through the Altos using a program called AMDS.COM. AMDS 
interfaces with the Altos and communicates with the Prolog 
system to cregte an effective work station. To transfer a 
file to the Prolog, select option "G" from the menu. AMDS 
will ask for the filename. After the filename is entered, 
AMDS will read the file into the Altos memory and download 
it to the Prolog. When the transfer is complete, AMDS will 
return to the main menu. Other options include dumping 
Prolog memory to the Altos screen, changing or revising 
values in memory, executing programs stored on the Prolog 
and locating specific byte sequences within memory. A 
complete users manual to the AMDS system can be found in 


Bledes thesis. [Ref. 17: pp. 39-60] 


Pewee SENCH TEST 

The first run of the sample problem proved to be a 
Maing experience. All of the code in the 2-80 realization 
library was developed as separate primitives. When linked 
together to form a single unit, some primitives yielded 
unexpected results. A careful bench-check revealed some 


subtle problems in the monitor section. The "s.tabent”" 
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primitive is responsible for building calls to the 
procedures listed in the primitive list. It added an "t" to 
the beginning of every contingency label and an "i" to the 
end of every task label. This would have caused fatal 
errors being generated within the assembler. Obviously 


Changes had to be made to the s.tabent primitive. 


ie CHANGING RELIZE.MAC 

Smomnges, tO the primitive listing are not difficult but 
require the use of a format program. RELIZE.MAC must be 
stored as an 80 column card image file. This means that 
each line in the file must be padded to take the full 80 
column card image when it is stored. Any changes made 
directly to RELIZE.MAC using the VAX editor will cause all 
lines to be stored as variable length lines. The procedure 
1s to edit the realization library file in a version called 
INNAME.DAT, then invoke a program called FORMAT. The format 
program will build 80 column card images and an index from 
the primitive title lines and store theresults ina file 
designated by the user. The output file can be named 
REALIZE.MAC or stored under another file name for later use. 
The "s.tabent" primitive was changed using this procedure to 


memove the extra letter it inserted. 


Seo be TEST CASE 
Further checking revealed problems with the start 


addresses for the ROM and RAM pointers. These values are 
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entered in the GLOBALS file and are used as memory pointers 
for program instructions, variables and the stack. The 
Prolog memory map starts the user's memory at 4000 hex. The 
top of user memory is at 7fff hex or 32767 decimal. The 
pointers had been set to 4136 decimal and 36812 decimal. 
Changes were made to reflect the correct addressing scheme. 

It became obvious that debugging 32 pages of 2-80 
assembly language code was going to be a nontrival task. 
Time was slipping by and the major goals of this vroject had 
not been attained. A smaller program was needed which could 
be used to develop debugging methods for future work. The 
main elements in the test case were to test the primitives 
used in the IF-THEN construct and the output primitive, 
"S,outled". These primitives were the most used primitives 
in the sample problem. 

A short program was developed using the Z-80 realization 
mleraGyewareh would flash .an LED on the Prolog's front 
panel. The time for the LED to be turned on and off was 
determined by a counter which counts from 0 to 32,000. The 
counter value was tested using the IF-THEN construct and 
when the test passed would toggle the LED on and off. The 
Drimitive listing was processed using the procedures 
previously described. The program flow chart, primitive 
listing and timing application table appear in Appendix E. 
Assembly, linkage and conversion to the hex format proved to 


be a simple task and no vroblems were encountered. 
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Downloading to the Prolog system also went smoothly. It did 
Bee, 2OWeVer, Execute properly and would not activate the 


led on the front panel. 


Eee leSLTING USING ZSID 

The testing of software produced by the design environ- 
ment is simplified somewhat by the use of a CP/M type 
Operating system. Digital Research's ZSID is an excellent 
tool for debugging and was used extensively in this project. 
After linking, ZSID was used to step through the program to 
check for proper operation. Logic errors and sequencing 
errors were easy to find using this technique. 

ZSID can be used to trace programs loading at 4000 hex 
by using the following procedure. Invoke ZSID by typing 
Psupetalename-:filetype". ZSID will load the file starting 
at 100 hex. Attempts to execute a program with absolute 
jumps designed for a starting address of 4000 hex will cause 
the program to execute improperly. To move the program to a 
Start address of 4000 hex type "M 100,5000,4000". This 
command will move a block of code starting at 100 hex and 
ending at 5000 hex to a start address of 4000 hex. The 
upper boundary of this block should be the same as the upper 
boundary for the program being tested. To set the program 
counter at 4000 hex type "G4000,4000". This command will 
set the program counter and set a break point at 4000 hex to 
Mabe Gesecution. The trace mode of ZSID is used to actually 


Beowmeaeougm ene program and 1S invoked by "T,100 control p”. 
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This command causes ZSID to trace through the first 100 

Beeps Of the program and put the results on a printer. The 
printout 1s optional but highly recommended as ZSID's trace 
function is very quick and data will scroll up the terminal 


moo fast to be read. 


ie) PROBLEMS DISCOVERED 

The use of this test method revealed several problems 
fieemeene realization library. Two logic errors in the 
monitor section caused the program to halt before 
iweeializing variables and constants. The normal program 
meeweiS tO build the stack in high memory, initialize all 
hardware, and then do the software initializations. 
Software initializations are defined by the "s.initalcons" 
Srameeive, The "S.initalcons” primitive heading in 
RELIZE.MAC indicates that it is to be used to "mark the 
peganming Of things to be initialized". This statement is 
misleading in the sense that program code 1S expected 
between “s.initalcons" and "S.initalend", not variable and 
constant assignments. Variables and constants are assigned 
uSing the "DEFW" assembler command. This command is not a 
2-80 instruction and is only used to tell the assembler to 
represent a particular value at a memory location. The 
result is that when the computer jumps to the start of this 
block it interprets the bytes in memory as instructions and 
not the variables these bytes actually represent. The 


PSetmrhealeons and "S.iniltend”™ primitives must be present 
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as the monitor calls the block generated by these primitives 
aS its first call. The fix is to include these two 
primitives in the primitive listing as "s.initalcons" 
followed immediately by "s.initalend" and place all variable 
Pacmeconstant primitives at the end of the primitive listing. 

A second problem occurred in the method used to test 
contingencies within the monitor. The "s.every" primitive 
sets a flag to "1" each time the contingency is called. The 
calling code within the monitor uses a "call z,<label>" 
instruction to call the associated task. The Las enuict nem 
used to generate the flag is a "cep 111111116". This results 
in subtracting a -l from 1, resulting in a positive two. 
This test will always fail and the monitor will never call 
the tasks associated with the contingencies and will 
continuously poll each contingency, fail, and accomplish 
absolutely nothing. A simple repair was made to the 
Somevecy Primitive to load a “11l111111b" into the 
eontingency's flag to allevaite the problem. 

The next test run on the Prolog system, with changes 
made to the primitive list and realization library, produced 
Seeeeacomeniitehn activated the LED on the Prolog front panel 
pwMEmvoulaenoe EUurn it Off. The “s.outled"™ primitive was the 
ier this case, Tt was not designed to turn off a 
MmPrmen turin Jt On. A Change to the logic structure 
within the primitive allows the designer to select the LED 


and turn it on or off as desired. This change produced a 
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working model, one which was Peeece generated by ae 
design environment. 

At this point the CSDL design environment had produced 
Pos f£erst moe yin PitAOugi trivial in nature, Le 
Proves that a microprocessor-based controller can be 
specified using the design environment and usable hardware 


and software listings generated. 
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VI. CONCLUSIONS AND RECOMMENDATIONS 


The completely successful completion of this project 
would have yielded a complete the gas turbine start 
Sem@eroller, but time ran out. The major objectives of this 
thesis have been accomplished, however, by completing a much 
Simpler test case. It was developed using the design 
technigues developed for the start controller and proves 
that the design environment is capable of producing 2-80 
code which can be assembled, linked, loaded on the target 
machine and executed. 

A major research effort remains in the construction and 
validation of the realization libraries. Most of the errors 
encountered were from subtle logic errors or errors of 
omission when the primitives were constructed. As has been 
shown, some primitives exhibit qualities which were not 
expected when they were originally designed. A series of 
small test cases are needed to reduce the scope of the task 
of validating primitives and to reduce the complexity of the 
programming required. 

Some method should also be developed to freeze the 
hardware design and allow the designer to make changes in 
eMemoem@avitoral description. If the design includes the 
fabrication of circuit boards from discrete components, a 


major investment in labor and materials will have been mace. 
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To make small changes in the behavioral deseription which 
requires a major hardware change may not be cost effective. 
The designer should be allowed to freeze a hardware design 
and see if the new behavior can be supported with a new 
software package. The design environment can test the 
feasibility of this new design and report back if the design 


Pavinronment cannot support this change. 
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